Wired Intelligent Edge (Campus Switching and Routing)

DUR Not Working For MAC-Based Clients -- Event Log Shows User Role Is Invalid

MVP Expert
Problem:

When a switch is configured for downloaded user roles (DUR) with ClearPass (CPPM), the following log event may be generated under certain conditions.

 

W 07/11/19 00:48:53 05204 dca: Failed to apply user role TEST_DUR-3045-1_7Z4q to macAuth client 005056831001 on port 2: user role is invalid.

 

In the above log event, the client MAC is 005056831001 and the DUR name is TEST_DUR-3045-1.

 



Diagnostics:

The MAC-based authentication debug output reports the same failure for this client:

 

0000:00:48:53.15 MAC  mWebAuth:Failed to apply user role TEST_DUR-3045-1_7Z4q to macAuth client 005056831001 on port 2: user role is invalid.

0000:00:48:53.30 MAC  mWebAuth:Port: 2 MAC: 005056-831001 [58] assigned role 'TEST_DUR-3045-1_7Z4q' failed, attempting to apply initial role.

 

The following debug commands can be used to narrow down the issue.

 

SW-1# debug destination session

SW-1# debug destination buffer

SW-1# debug security radius-server

SW-1# debug security ssl          

SW-1# debug security port-access mac-based include port <port_number>

 

The SSL debug output is as follows:

 

0000:00:48:51.28 SSL  mcppmTask:handleClientHandshakeMessages() returns status =

0000:00:48:51.37 SSL  mcppmTask:-1

0000:00:48:51.41 SSL  mcppmTask:SSL_SOCK_receive() returns status =

0000:00:48:51.48 SSL  mcppmTask:-1

0000:00:48:51.52 SSL  mcppmTask:SSL:doProtocol() returns status =

0000:00:48:51.59 SSL  mcppmTask:-1

0000:00:48:51.63 SSL  mcppmTask:SSL_negotiateConnection() returns status =

0000:00:48:51.71 SSL  mcppmTask:-1

0000:00:48:51.74 SSL  mcppmTask:SSL_closeConnection() from AppType:

0000:00:48:51.82 SSL  mcppmTask:4

 

The SSL debug messages above suggest that the TLS handshake between the switch and the RADIUS server (CPPM) did not happen. This can be caused by a missing root certificate on the switch.
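The correlation described above, as an added example that is not part of the original article: it joins each "returns status =" line with the value on the following line and lists the TLS calls that failed shortly before a "user role is invalid" event. The sample lines are taken from the debug output in this article; the function names, the 5-second window, the days:hh:mm:ss.cc reading of the timestamp, and treating a negative status as failure are assumptions.

```python
import re

# Sample input: a subset of the debug lines shown in this article.
SAMPLE = """\
0000:00:48:51.28 SSL  mcppmTask:handleClientHandshakeMessages() returns status =
0000:00:48:51.37 SSL  mcppmTask:-1
0000:00:48:51.63 SSL  mcppmTask:SSL_negotiateConnection() returns status =
0000:00:48:51.71 SSL  mcppmTask:-1
0000:00:48:53.15 MAC  mWebAuth:Failed to apply user role TEST_DUR-3045-1_7Z4q to macAuth client 005056831001 on port 2: user role is invalid.
"""

LINE = re.compile(r"(\d{4}):(\d\d):(\d\d):(\d\d)\.(\d\d)\s+(\S+)\s+(\w+):(.*)")
ROLE_FAIL = re.compile(r"Failed to apply user role (\S+) to macAuth client "
                       r"(\w+) on port (\w+): user role is invalid")

def parse(text):
    """Yield (seconds, module, message); timestamp read as days:hh:mm:ss.cc (assumption)."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            d, h, mi, s, cs = map(int, m.groups()[:5])
            yield d * 86400 + h * 3600 + mi * 60 + s + cs / 100, m[6], m[8].strip()

def tls_failures(events):
    """Pair each '...() returns status =' line with the value on the next SSL line."""
    failed, pending = [], None
    for ts, module, msg in events:
        if module != "SSL":
            continue
        if msg.endswith("returns status ="):
            pending = msg.split("(")[0]
        else:
            # Assumption: a negative status value means the call failed.
            if pending and re.fullmatch(r"-\d+", msg):
                failed.append((ts, pending))
            pending = None
    return failed

def diagnose(text, window=5.0):
    """Report each invalid-role event with the TLS calls that failed just before it."""
    events = list(parse(text))
    failed = tls_failures(events)
    findings = []
    for ts, module, msg in events:
        m = ROLE_FAIL.search(msg)
        if module == "MAC" and m:
            calls = [name for t, name in failed if 0 <= ts - t <= window]
            findings.append({"role": m[1], "mac": m[2], "port": m[3], "tls_failed": calls})
    return findings
```

An empty `tls_failed` list for an invalid-role event means the handshake with CPPM did not fail in the captured window, so the cause lies elsewhere.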

 

 



Solution

Extract the root certificate from the CPPM HTTPS certificate and install it on the switch.

 

---------------Install Root Certificate---------------

 

SW-1(config)# crypto pki ta-profile CPPM                        //crypto pki ta-profile <profile-name>

SW-1# copy tftp ta-certificate CPPM 192.168.1.15         //copy tftp ta-certificate <profile-name> <TFTP-Server-IP-ADDR>

Version history: Revision 1 of 1
Last update: 07-27-2019 10:18 AM